TorrentLocker targets the Windows OS and, although it sometimes identifies itself as CryptoLocker, the two are not related. This ransomware is most commonly spread via spam emails relating to unpaid invoices, package delivery, and unpaid speeding tickets. Once executed, malware files are installed in the %AppData%, %Temp%, or %WinDir% folders of the infected system, all system drives and network shares are scanned for files to encrypt, and all Shadow Volume Copies are deleted to prevent data restoration. TorrentLocker appends .encrypted or .enc to encrypted files.
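To scope an incident using the appended suffixes described above, the following added example (not NJCCIC code) walks a drive or share and counts affected files per directory. It assumes the original extension is kept in front of the appended suffix, so a bare `backup.enc` is ignored because `.enc` has benign uses; the sample tree is constructed.

```python
import os
import tempfile

# Suffixes the profile says TorrentLocker appends to encrypted files.
APPENDED_SUFFIXES = (".encrypted", ".enc")

def classify(filename):
    """Return (suffix, original_name) for names like <name>.<ext><suffix>, else None."""
    lower = filename.lower()
    for suffix in APPENDED_SUFFIXES:
        if lower.endswith(suffix):
            original = filename[: -len(suffix)]
            stem, ext = os.path.splitext(original)
            # Assumption: "appended" means the original extension survives,
            # e.g. invoice.pdf.encrypted. Names without one are not counted.
            return (suffix, original) if stem and ext else None
    return None

def scan(root):
    """Walk root and return {directory: (hits, total_files)} for directories with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):  # unreadable directories are skipped
        hits = [f for f in files if classify(f)]
        if hits:
            report[dirpath] = (len(hits), len(files))
    return report

def build_sample_tree(root):
    """Constructed sample data: one affected folder, one clean folder."""
    layout = {
        "share/finance": ["q1.xlsx.encrypted", "invoice.pdf.encrypted", "notes.txt.enc"],
        "share/tools": ["backup.enc", "readme.txt"],  # bare .enc: not counted
    }
    for rel, names in layout.items():
        directory = os.path.join(root, *rel.split("/"))
        os.makedirs(directory)
        for name in names:
            open(os.path.join(directory, name), "w").close()

def demo():
    """Scan the constructed tree and return results keyed by relative path."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.relpath(d, root).replace(os.sep, "/"): v
                for d, v in scan(root).items()}

if __name__ == "__main__":
    for directory, (hits, total) in demo().items():
        print(f"{directory}: {hits}/{total} files carry an appended suffix")
```

A directory where most files are hits is a candidate for restoration from backup; the count alone does not attribute the encryption to TorrentLocker.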

UPDATE 3/1/2017: A new campaign distributing TorrentLocker (also known as Crypt0L0cker or Teerac) has emerged targeting European countries. It is currently being distributed through phishing emails with malicious JavaScript attachments masquerading as invoices. In Italy, the malicious actors behind the campaign are using Italy’s Posta Elettronica Certificata, or certified electronic mail system, in an attempt to convince the recipients that the phishing emails are legitimate and safe. In addition, Softpedia reports that TorrentLocker now has the ability to spread through shared files.

  • Sophos Labs provides more information about TorrentLocker, found here.
  • Bleeping Computer provides more information about TorrentLocker, found here.
  • The NJCCIC is not aware of a decryption tool available for TorrentLocker.

One example of the TorrentLocker variant. Image Source: Bleeping Computer